Showing results for 
Search instead for 
Did you mean: 

access controls on su

Honored Contributor

access controls on su

In Linux, following files controle the su access

# ll /etc/security/su*
-rw-r--r-- 1 root root 8 Feb 15 2006 /etc/security/suapplmgr
-rw-r--r-- 1 root root 7 Feb 15 2006 /etc/security/suoracle
-rw-r--r-- 1 root root 5 Feb 15 2006 /etc/security/suroot

is there an equivalent in HP-UX or an alternate method!

Tim Nelson
Honored Contributor

Re: access controls on su

As far as I know.

1) su access is only limited to knowing the password of who you are su'ing to

2) if not root then permissions are controlled by standard file permissions and some directives defined in /etc/defaults/security

3) I see others typically use sudo (3rd party app) for this purpose.

man su
man security

for more.

Srini Jay
Valued Contributor

Re: access controls on su

To control who can 'su - root', you can do the following:

1) Create a unique group (say 'some_unique_group')

2) add the following line to /etc/default/security file:

3) add the users who should should be allowed to do 'su root' to this group:

in file /etc/group:


Not sure if there is a way restrict 'su' to other non-root account.


Honored Contributor

Re: access controls on su


a) The method you showed in Linux is based
on PAM.

Since HP-UX supports PAM, I guess it
is possible to do it. In fact,
when I get back from a business trip in two
weeks, I will try it myself.

b) The second option would be SUDO with SUDOSH.

That one I have implemented for a large
company running Solaris, Linux and HP-UX.

c) Finally, if you use HP-UX 11.23 or 11.31,
go for Role Based Access Control (RBAC).

Such a good tool, used so little in HP-UX.



VK2COT - Dusan Baljevic
Honored Contributor

Re: access controls on su

[ghosha@/home/ghosha] #su -
Last successful login for root: Fri Jan 23 09:48:35 EST5EDT 2009
Last unsuccessful login for root: Thu Jan 22 12:04:28 EST5EDT 2009
su: Not a member of the SU_ROOT_GROUP defined in /etc/default/security
[ghosha@/home/ghosha] #

su to root account is prevented if the users are NOT members of easroot. But NOT available for any other accounts.